Getting exit code of a terminated process - McMap

About

Getting exit code of a terminated process

Asked 23/9, 2014 at 10:29 Answered 23/9, 2014 at 12:17

U

1

6

I'm debugging a process in WinDbg, and the process exited:

0:009> g
(bunch of regs...)
ntdll!NtTerminateProcess+0xc:
770ad43c c20800          ret     8
0:009> g
       ^ No runnable debuggees error in 'g'

At this point, how do I get the process' exit code?

Upton answered 23/9, 2014 at 10:29 Comment(0)

S

6

You could find it as the second argument of ZwTerminateProcess. NtTerminateProcess is just the kernel version of it, right?

0:000> kb
ChildEBP RetAddr  Args to Child              
003ff414 7774d5ac ffffffff 1234abcd 00000000 ntdll!ZwTerminateProcess+0x12
003ff430 759c79ec 00000000 77e8f3b0 ffffffff ntdll!RtlExitUserProcess+0x85
...

Or the fourth parameter of RtlExitUserProcess

0:000> kn
 # ChildEBP RetAddr  
00 003ff414 7774d5ac ntdll!ZwTerminateProcess+0x12
01 003ff430 759c79ec ntdll!RtlExitUserProcess+0x85
...

0:000> .frame 01
01 003ff430 759c79ec ntdll!RtlExitUserProcess+0x85

0:000> dd esp L4
003ff414  7771fcc2 7774d5ac ffffffff 1234abcd

Shira answered 23/9, 2014 at 12:17 Comment(2)

I think ZwTerminateProcess=Kernel, NtTerminateProcess=User. Anyways, works great, thanks! – Upton 23/9, 2014 at 12:32

In usermode, both Nt* and Zw* are the same function (note the same address for both symbol names): 0:048> x ntdll!*terminateprocess 774bbeb0 ntdll!NtTerminateProcess (<no parameter info>) 774bbeb0 ntdll!ZwTerminateProcess (<no parameter info> – Javelin 23/9, 2014 at 13:29

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.